Description
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill reads the entire response body into memory without any size limit. An attacker who can control or modify the response content can return an arbitrarily large payload, causing the Quill client to run out of memory and crash. The impact is limited to availability; there is no effect on confidentiality or integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This vulnerability is fixed in 0.7.1.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service – Availability loss due to unbounded memory consumption during notarization
Action: Immediate Patch
AI Analysis

Impact

Quill performs an unbounded read of HTTP response bodies during Apple notarization, buffering the entire response into memory without imposing a size limit. If an attacker can alter the response payload, they can cause the client to consume excessive memory and crash, leading to a denial of service. This weakness is identified as CWE‑770; it does not affect confidentiality or integrity.
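The two paragraphs above describe a CWE-770 pattern: `io.ReadAll` on a response body with no cap. The Go program below is an added illustration, not code from Quill or Anchore; the limit value, the function names (`readBounded`, `fetchBounded`) and the local test server are this example's own assumptions. It places the unbounded pattern beside a bounded read that accepts a body of exactly the limit, rejects anything longer, and terminates even against a body that never ends.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxNotaryResponseBytes caps how much of a response body is buffered.
// The value is an assumption for this example: notarization status
// responses are small JSON documents, so a few MiB is generous.
const maxNotaryResponseBytes int64 = 4 << 20

// ErrResponseTooLarge is returned when a body exceeds the configured cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// readAllUnbounded is the pattern the advisory describes (shown for contrast,
// not taken from Quill): the whole body is buffered whatever its length, so
// memory use is decided by whoever controls the response.
func readAllUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded buffers at most limit bytes. It reads one byte past the limit
// so that a body of exactly limit bytes is accepted while anything longer is
// rejected, and it never allocates more than limit+1 bytes.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

// fetchBounded issues a GET and applies the cap. A declared Content-Length
// above the cap is rejected before any body bytes are read; chunked or
// unknown-length bodies (ContentLength == -1) fall through to readBounded.
func fetchBounded(client *http.Client, url string, limit int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.ContentLength > limit {
		return nil, ErrResponseTooLarge
	}
	return readBounded(resp.Body, limit)
}

// endlessReader is a constructed body that never reports EOF; it stands in
// for a server that streams data indefinitely. readAllUnbounded on it would
// grow without bound; readBounded stops after limit+1 bytes.
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

func main() {
	// Constructed local server: one small JSON reply and one oversized reply
	// written without Content-Length, so the client sees an unknown length.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/small" {
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"status":"Accepted"}`)
			return
		}
		io.CopyN(w, endlessReader{}, 2*maxNotaryResponseBytes) // stops once the client hangs up
	}))
	defer srv.Close()

	body, err := fetchBounded(srv.Client(), srv.URL+"/small", maxNotaryResponseBytes)
	fmt.Printf("small: body=%s err=%v\n", body, err)

	_, err = fetchBounded(srv.Client(), srv.URL+"/large", maxNotaryResponseBytes)
	fmt.Printf("large: err=%v\n", err)
}
```

The Content-Length check is a cheap early exit, but it is not sufficient on its own: a server can omit the header or lie about it, which is why the streaming cap in `readBounded` is the control that actually bounds memory.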

Affected Systems

All releases of Anchore Quill (both CLI and underlying library) prior to version 0.7.1 are affected when performing notarization operations. The issue was fixed in 0.7.1 and later.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate-severity denial-of-service flaw, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The advisory states that exploitation requires the ability to modify Apple's notarization service responses, which is normally prevented by HTTPS with proper TLS certificate validation. However, environments that use TLS-intercepting proxies, have compromised certificate authorities, or otherwise violate the trust boundary are at risk. The likely attack vector is therefore inferred to involve TLS interception or CA compromise. Because the exploit depends on such uncommon conditions, the overall risk is moderate and largely contingent on the presence of these network conditions.

Generated by OpenCVE AI on March 17, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Quill release (0.7.1 or newer) to eliminate the unbounded memory read.
  • Verify that the network path to Apple’s notarization service does not include TLS‑intercepting proxies or tampered certificate authorities.
  • If upgrading immediately is not possible, restrict notarization traffic to trusted, non‑intercepted network segments.



Advisories
Source: GitHub GHSA
ID: GHSA-g32c-4pvp-769g
Title: Quill has DoS via unbounded read of HTTP response body during notarization
History

Mon, 16 Mar 2026 19:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Anchore; Anchore quill
Type: Vendors & Products
Values added: Anchore; Anchore quill

Wed, 11 Mar 2026 19:45:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)
Type: Title
Values added: DoS in Quill via unbounded read of HTTP response body during notarization
Type: Weaknesses
Values added: CWE-770
Type: References
Values added: (blank)
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:58:33.103Z

Reserved: 2026-03-10T15:40:10.482Z

Link: CVE-2026-31960

Vulnrichment

Updated: 2026-03-12T19:58:30.269Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:16.940

Modified: 2026-03-16T19:19:38.717

Link: CVE-2026-31960

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:15Z

Weaknesses